Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2097757

Summary: yum update --security
Product: Red Hat Enterprise Linux 8 Reporter: jcastran
Component: dnfAssignee: amatej
Status: CLOSED ERRATA QA Contact: Eva Mrakova <emrakova>
Severity: high Docs Contact: Mariya Pershina <mpershin>
Priority: high    
Version: 8.6CC: amatej, james.antill, mbanas
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: dnf-4.7.0-11.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2101398 (view as bug list) Environment:
Last Closed: 2022-11-08 10:47:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2101398    

Description jcastran 2022-06-16 13:10:28 UTC 
Description of problem:
yum update --security is not applying security updates that are available

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. # mkdir /test/
2. # tar xf rpm_db.tar.bz2 -C /test/
3. # yum --installroot=/test/ update kexec-tools --security --assumeno
4. # yum --installroot=/test/ update --security --assumeno

Actual results:
 * yum updateinfo list sec   ###Shows errata as available
 * yum update --security     ###kexec-tools is not updated
 * yum update kexec-tools --security    ###Shows an update which means its security related


Expected results:
yum update --security should apply updates when applicable

Additional info:
Comment 1 amatej 2022-06-23 07:57:08 UTC 
A quick solution would be to use the best option (which is the default).

But we are working on a general fix: https://github.com/rpm-software-management/dnf/pull/1832
And tests: https://github.com/rpm-software-management/ci-dnf-stack/pull/1130

Thank you for the report.
Comment 3 jcastran 2022-06-27 11:46:16 UTC 
> A quick solution would be to use the best option (which is the default).

best is applied by default and does not make a difference.
- - - - - - - - - 
[root@r8 ~]# grep best /etc/yum.conf
best=True


[root@r8 ~]# tar xf rpmdb.tar.bz2 -C /test/


[root@r8 ~]# yum --installroot=/test/ updateinfo list sec | grep -iE kexec
RHSA-2021:4404 Low/Sec.       kexec-tools-2.0.20-57.el8.x86_64


[root@r8 ~]# yum --installroot=/test/ update --security --assumeno
==============================================================================================
 Package               Arch     Version              Repository                          Size
==============================================================================================
Upgrading:
 cups-libs             x86_64   1:2.2.6-45.el8_6.2   rhel-8-for-x86_64-baseos-rpms      435 k
 grub2-common          noarch   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      893 k
 grub2-pc              x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms       44 k
 grub2-pc-modules      noarch   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      920 k
 grub2-tools           x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      2.0 M
 grub2-tools-efi       x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      477 k
 grub2-tools-extra     x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      1.1 M
 grub2-tools-minimal   x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      211 k
 rsyslog               x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms   753 k
 rsyslog-gnutls        x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    32 k
 rsyslog-gssapi        x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    34 k
 rsyslog-relp          x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    34 k
 xz                    x86_64   5.2.4-4.el8_6        rhel-8-for-x86_64-baseos-rpms      153 k
 xz-libs               x86_64   5.2.4-4.el8_6        rhel-8-for-x86_64-baseos-rpms       94 k

Transaction Summary
==============================================================================================
Upgrade  14 Packages

Total download size: 7.0 M
Operation aborted.



[root@r8 ~]# yum --installroot=/test/ update kexec-tools --security --assumeno
==============================================================================================
 Package               Arch    Version                   Repository                      Size
==============================================================================================
Upgrading:
 dracut                x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms  376 k
 dracut-config-rescue  x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms   61 k
 dracut-network        x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms  109 k
 dracut-squash         x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms   62 k
 kexec-tools           x86_64  2.0.20-68.el8             rhel-8-for-x86_64-baseos-rpms  523 k

Transaction Summary
==============================================================================================
Upgrade  5 Packages

Total download size: 1.1 M
Operation aborted.
Comment 5 amatej 2022-06-28 07:00:34 UTC 
I think best does make a difference.

Can you try?
[root@r8 ~]# yum --installroot=/test/ update --security --assumeno --best

-----

> [root@r8 ~]# grep best /etc/yum.conf
> best=True
This shouldn't affect your run because this is the host's config but you are running with installroot and it prioritizes the installroot's config first (which doesn't have best specified).

The problem is that best is the default on RHEL in the sense that it is the default configuration specified in dnf.conf: best=True, but if it is removed (like in the customer's config) dnf's default without any config is False.
Comment 14 errata-xmlrpc 2022-11-08 10:47:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (dnf bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7712